THE BEHAVIOUR OF NUCLEAR FUEL DURING SEVERE ACCIDENT PROCESSES

XIII. évfolyam 3. szám 2018. szeptember THE BEHAVIOUR OF NUCLEAR FUEL DURING SEVERE ACCIDENT PROCESSES NUKLEÁRIS ÜZEMANYAG VISELKEDÉSE SÚLYOS BALESETI FOLYAMATOK ESETÉN MANGA László (ORCID ID: 0000-0003-1672-7629) mangalaci@indamail.hu Abstract The issue of safety is paramount for nuclear power plants. The lessons learnt from previous nuclear accidents and the achievements in modern science and technologies drive nuclear professionals to attempt further reducing the already low probability of nuclear accidents. A significant component of these efforts is to continuously perform risk analyses and model emergency situations on the currently operating power plants, which can contribute to nuclear safety enhancement. In the following I present such an example from the Paks nuclear power plant. This article highlights the importance of prompt and correct decision-making during different types of emergency situations, and as a result, what is the significance of a welltimed flooding in case of a core-melt accidentt) Keywords: accident management, fuel melt, core damage, intervention time, core flooding Absztrakt Az atomerőművek esetében mindig nagyon fontos kérdés a biztonság. Az eddig bekövetkezett nukleáris balesetek tanulságai, a tudomány- és a technika fejlődése arra sarkallja a szakembereket, hogy az eddig is kis valószínűséggel bekövetkező balesetek kockázatát tovább csökkentsék. Ennek egyik fontos összetevője, hogy a már üzemelő erőműveken is folyamatos kockázatelemzéseket, modellezéseket végezzenek. Ennek köszönhetően tovább növelhető a nukleáris biztonság. A következőkben bemutatok erre egy példát, hogyan működik ez a Paksi Atomerőműben. A cikk rávilágít arra, hogy a különböző jellegű baleseti szituációkban mennyire fontos a gyors és jó döntés és végeredmény képen, milyen jelentősége van - egy esetleges baleset során - az elárasztás időzítésének. Kulcsszavak: balesetkezelés, üzemanyag olvadás, zónasérülés, beavatkozási idő, zóna elárasztás A kézirat benyújtásának dátuma (Date of the submission): 2018.05.28. A kézirat elfogadásának dátuma (Date of the acceptance): 2018.06.05. Hadmérnök (XIII) II1 (2018) 236

INTRODUCTION During the design of nuclear power plants an annual core damage frequency is calculated based on the combinations of different event sequences and operation modes. For the Paks nuclear power plant this number is 5.6 10-5/year [1, 2, 3, 4]. However, other analyses have pointed out that the damage of spent fuel stored outside the reactor core, namely in the spent fuel pool could also cause significant radioactive release. The calculation for the Paks nuclear power plant is 2.27 10-5/year [2, 3, 4). Based on these evaluations it can be deducted, that significant radioactive releases would be attributable to events resulting in the melting of the active core, or the exposure and consequent damage of spent fuel in the spent fuel pool. These special emergency processes will be referred to in the following as accidents. Even though the frequency of occurrence is fairly low, it cannot be disregarded, as the accident consequences would be substantial [5, 6, 7]. In the following I shall describe the prevention and mitigation measures for potential core or fuel damage as well as managing the accident process. DEVELOPING EMERGENCY OPERATING PROCEDURES The Paks nuclear power plant applies Westinghouse type [8] symptom-based emergency operating procedures (ÁOKU) [9, 10]. Table 1 contains the most important characteristics of the Westinghouse accident management system. ACCIDENT MANAGEMENT Event Design basis accident Beyond design-basis accident Objective Remaining within the licensing parameters Systems Accident management type Procedures Application of operational and safety systems within their design basis limits Prevention Prevention of core melting, retaining activity in the containment Event-based accident management Condition-oriented accident management Mitigation of core melt consequences Application of all available systems beyond their design limits Consequence mitigation Accident management procedure Table 1: The accident management characteristics of the Westinghouse procedure system [11] Measures can be categorized in two categories: preventions and consequence mitigations. Preventive measures focus on averting and preventing damage to the core, while the measures of the other category aim to prevent or mitigate the consequences of the core damaging processes. The Westinghouse system covers not only the scope of design basis accidents, but also beyond design-basis emergencies and severe accidents (see figure 1). Hadmérnök (XIII) II1 (2018) 237

Figure 1: The Westinghouse system for managing the different operating and emergency conditions of a nuclear power plant [12] For preventive measures the operational and safety systems of the plant are utilized within their design parameters, and the objective is to maintain the processes within the licensing limits applicable for design basis accidents. For preventive measures also, the application of any piece of equipment can be considered beyond its design basis parameters, which is capable of preventing damage to the core in case of a beyond design-basis accident. Preventive measures can generally be divided into two categories. The first category is when the emergency event can be clearly identified and the process is well-known; for this category event-based emergency procedures apply. In case of events in the second category only the symptoms of the event can be identified. In such cases symptom-based emergency procedures need be applied, where interventions focus on the recovery of the safety functions. For processes that occur after core damage, only symptom-based emergency procedures can be applied to mitigate the consequences of such processes. To achieve the objective, any system can be utilized beyond its design basis parameters. The Paks nuclear power plant has implemented the symptom-based emergency operating procedures that cover the scope of preventive measures [13]. During the development of the emergency operating procedures the safety objectives have been defined [9, 10]. The procedures within the strategy aim to fulfil these safety objectives. Table 2 presents these safety objectives. Hadmérnök (XIII) II1 (2018) 238

Safety objective Preventing the melting of the core Preventing the damage of the reactor pressure vessel Preventing damage to the containment Preventing the release of radioactive materials Function Damaging process Procedure Restricting reactivity Maintaining heat removal Maintaining core cooling Reactor pressure vessel integrity Containment integrity Retaining radioactive materials within the containment Insufficient control Loss of secondary side cooling Loss of primary circuit cooling medium Insufficient cooling Hydrogen combustion Slow over-pressurization Local high temperature Fission products in the containment Primary circuit pressure decrease ECCS recovery Reactor shaft flooding ECCS recovery Ignitors, recombiners Sprinkler, filtered discharge Cooling, door shielding Sprinkler, filtered discharge Table 2: Safety objectives, functions and procedures recommended to achieve the objectives In the following I shall describe the strategic steps to achieve the first two safety objectives. RESTRICTING CORE MELTDOWN, AND PREVENTING THE DAMAGE OF THE REACTOR PRESSURE VESSEL BY INTERNALLY FLOODING THE DAMAGED ACTIVE CORE The flooding of the reactor pressure vessel (RPV) is such an accident management option, which aims to avert the progression of severe accidents to avoid core damage and to prevent the damage of the reactor pressure vessel. The cooling water injected directly into the rector pressure vessel provides direct cooling for the overheated, or molten core and to reduce residual heat or cool down the core melt and to stabilize its temperature. The cooling water necessary for core flooding can be provided through the recovery of the affected core cooling system, or with the use of special water reserves. After losing the original core geometry, the conditions for cooling also change significantly, further thermic and chemical reactions can be expected, and the restructuring and possibly the relocation of the core shall also be considered. Different cooling mechanisms may develop, which provide heat removal at different rates. Parallel with the core meltcooling medium interactions, the core melt also gets in contact with the reactor vessel bottom, that may impair the integrity of the reactor pressure vessel. Hadmérnök (XIII) II1 (2018) 239

Fuel overheating and failure Figure 3 shows the behaviour of nuclear fuel and its degradation mechanism at high temperatures. The most significant parameter of degradation is the fuel cladding and fuel temperature. After the core becomes exposed at a high temperature, the expansion of the fuel cladding is to be expected due to the pressure difference on the inside and outside of the fuel assemblies. The expansion, and the consequent rupture of the fuel cladding depends of the pressure difference (figure 3). At higher pressure rate the cladding damage occurs explosively, with a large rupture. 2800 C UO 2 melts 1950 C 1430 C 1250 C 800 C Zr cladding melts autokatalic oxidization, steel structures melt extensive Zr oxidization cladding damage Figure 3: Expansion and rupture of fuel [14] Consequently, significant zirconium oxidization takes place [15, 16], which also causes temperature increase, and the process becomes self-generating. Due to the oxidization occurring in a water-steam environment and the absorption of hydrogen, the fuel cladding becomes more rigid and the oxide layers start flaking. At approximately 1100 C ferritezirconium eutectoid is created, at 1450 C the ferrite components, at 1850 C the zirconium components, then at 2800 C the fuel itself melts down [3, 4, 17]. The core damage process The Paks Nuclear power plant has modelled in detail the behaviour of fuel and fuel cladding [3, 4] for processes resulting in the loss of the cooling medium. The model was created with the MAAP/VVER program [18]. By following the core damage process in more detail, successful and unsuccessful event sequences could be better distinguished. Hadmérnök (XIII) II1 (2018) 240

To check core damage success criteria, 28 different large diameter pipe rupture cases were considered. According to the divisions applied in probabilistic safety analyses, large diameter pipe ruptures are in the size range of 180mm to 2x492mm. Thus the investigated cases covered four rupture sizes (180, 280, 492 and 2x492 mm) [3, 4]. The program applies the following discrete types for core geometry damage (see figures 4, 5): Type=0 Type=1 Type=2 Type=3 Type=4 fully empty node, from where the active core has been removed, coolable, rod type geometry, structurally damaged, debris type node, partially closed off (candle-like) geometry node, Completely closed off by melt, uncooled node, Type=5 completely molten node. Based on calculation results, it can be determined that without the hydro-accumulators the only way to avoid the core melting process, if the active core can be flooded in time with a large amount of active cooling medium, which can provide continuous cooling to the core and balance out local overheating. In those cases, when the volume of the active cooling medium is insufficient, local overheating and damage occurs at the core sections where the heat load is the heaviest, and where the cooling of the damaged sections is inadequate. Figure 4 shows a case for temperature distribution at different times within the active core. It can be seen that in the first few minutes of the process, without cooling medium, the complete core is overheating rapidly. The injection to the core starts at 330.s, by then the cladding had heated up significantly, and upon the injection of water, the generated steam initiates an explosive, autocatalytic Zr reaction in the hottest regions. The flooding of the core is completed by 600.s, however by then the nodes above the centre line had partially melted and the dripping melt partially or completely closed the lower nodes off from cooling. These isolated nodes can no longer be cooled; thus the melting process continues within. The continuous melting process causes the structure to lose its integrity and the restructuring and relocation of the upper part of the core begins. As the system contains sufficient amount of cooling water, the moving debris remains in a continuously cooled state, however the melting section slowly moves downwards. 10 hours after the accident the upper 2/3 section of the core is damaged, while the melting process continues in the central nodes of the pile. Hadmérnök (XIII) II1 (2018) 241

0 sec 2500 C 2340 C 2180 C 2020 C 1860 C 1700 C 1540 C 1380 C 1220 C 1060 C 900 C 740 C 580 C 420 C 260 C 100 C 3600 sec 15 sec 7200 sec 330 sec Type=0 10200 sec Type=1 Type=2 Type=3 Type=4 Type=5 600 sec 36000 sec Figure 4: Temperature distribution and the core damage process at different times of an event [3, 4] Hadmérnök (XIII) II1 (2018) 242

0 sec 2500 C 2340 C 2180 C 2020 C 1860 C 1700 C 1540 C 1380 C 1220 C 1060 C 900 C 740 C 580 C 420 C 260 C 100 C 300 sec 15 sec 360 sec 180 sec Type=0 420 sec Type=1 Type=2 Type=3 Type=4 Type=5 240 sec 3660 sec Figure 5: Temperature distribution and core damage process at different times of another event [3, 4] Figure 5 shows the temperature distribution of another event. In this case refilling occurs earlier, from 240.s, when the core temperature is lower, thus in this case the intense zirconium oxidation does not result in local core melt and the development of uncooled geometry. After complete flooding, all nodes of the active core can cool off. Therefore, even though significant cladding oxidization occurred, the core remained in coolable condition. Hadmérnök (XIII) II1 (2018) 243

Core collapse and core melt behaviour in the reactor pressure vessel Table 3 contains the timeline of the most important events relating to the melting process [3, 4]. Core collapse occurs fairly soon (2-3 minutes) in case of LOCA (Loss of Coolant Accident) event sequences [19, 20], while in the case of other accident situations this might take up to 30 minutes. The reasons for this phenomenon are the difference in the remanent heat, thermohydraulic parameters, and the differing speed of zirconium-oxidization, which is significantly lower in case of LOEP events. Event LBLOCA SBLOCA LOEP (minutes) (minutes) (minutes) Core exposure 15 181 491 Melting commences 30 212 520 Core collapse start 44 224 551 Core collapse finish 46 227 582 Fuel grid heat-up start 44 224 551 Fuel grid failure 73 250 599 Table 3: Timeline of the melting process and the collapse phase for different accident situations where LBLOCA large diameter pipe rupture, SBLOCA small diameter pipe rupture, LOEP complete loss of power. Following the structural damages of the fuel pile, the core melt and debris sinks to the bottom of the pressure vessel. During the injection the core melt gets into contact with water and is temporarily cooled down. After the damage and meltdown of the structural elements underneath the active core, a debris bed is created at the bottom of the reactor pressure vessel. At the beginning of the injection, the water at the bottom of the pressure vessel boils away, and the debris continues to melt. Figure 6 shows the presumed layout in this status. The basis of the presumption is that the oxides of uranium and zirconium create a so-called molten pool. Heat removal at the side of the RPV forms a thin crust around the pool. According to research findings, the metal content slowly rises to the surface of the oxide pool. The unmelted debris crates a debris bed above the metal layer. The content of the core melt changes dynamically due to the different heat exchange mechanisms. Figure 6: Position of the core melt at the bottom of the RPV [14] Hadmérnök (XIII) II1 (2018) 244

The core melt located at the bottom of the pressure vessel may be cooled to some extent by flooding it with water. Some of the cooling water evaporates as it enters the debris and the cracks in the oxide melt crust. Another potential cooling mechanism is when the cooling water gets into the narrow space between the melt and the reactor vessel wall due to the creeping effect that occurs as the pressure vessel wall heats up. In these spaces heat removal takes place due to the critical heat flux developing in the region. This might provide sufficient cooling for the core melt generating approximately 15 MW energy [3, 4]. Failure of the reactor pressure vessel The location of the damage is not restricted to the bottom of the RPV, especially if the failure occurs at a higher level (figure 7). In such case only the debris or melt above the failure point escapes to the pit bottom. Without cooling, the melt remaining at the bottom of the pressure vessel continues to overheat, which results in the second, catastrophic damage of the RPV. It is important to note however, that due to the first failure, the pressure vessel is already decompressed. Figure 7: Location of the core melt at the bottom of the reactor pressure vessel [14] There are no outlets at the bottom of VVER type pressure vessels, therefore only two damage types need be considered: fracture due to creeping and melt-through. Investigating the potential avoidance of pressure vessel damage Table 4 presents the calculation results for different size pipe ruptures, in which cases the core damage is due to the loss of the emergency core cooling system (ECCS) [3, 4]. Based on this table the necessity of core flooding is certain. The first case is the reference case for RPV damage without flooding, the sixth case is the reference case for the process where the melt is flooded. Calculations generally stopped at the appearance of the primary failure on the reactor pressure vessel. Research only considered such loss-of-coolant initial events, where the primary circuit was at least partially depressurized. In case of high pressure, the considered injection options are limited, and the stress on the pressure vessel wall is also more extensive. Calculations were carried out to the point of primary pressure vessel failure, or if no such failure occurred, until 50400s process time. Only cases 2 and 20 contain information on the times when the second, more catastrophic RPV failure occurred [3, 4]. Analyses were carried out with the use of the MAAP program on the coolability of the molten core, and whether reactor pressure vessel failure can be avoided. The calculation results confirmed that with the timely introduction of the sufficient amount of cooling medium the core can be cooled down and stabile conditions can be achieved, while pressure vessel failure can be avoided even when core damage starts before the injection. Hadmérnök (XIII) II1 (2018) 245

In cases without cooling, the time of pressure vessel failure depends on the initial event. The smaller the rupture size, the slower the core dry-out and the melting process. A pressure vessel failure can occur as late as 16 hours from the initial event. In case of larger ruptures this period is reduced to 5-6 hours. Event Rupture size [mm] Start of injection [s] Rate of injection [kg/s] Time of pressure vessel damage [s] End of calculation [s] Comment 1 100 - - 21600 +1000 2 100 - - 21600 (25700) 50400 3 20 - - 59000 +1000 4 20 54000 10-100800 5 20 58000 10 58500 +1000 6 100 4250 10-50400 7 100 4250 5-50400 8 100 7250 10-50400 9 100 7250 5-50400 10 100 7250 3 14600 +1000 11 100 9000 10-50400 12 100 9000 5 13700 +1000 13 100 10000 10-50400 14 100 11000 10 11900 +1000 11 bars 15 100 11000 15 11600 +1000 16 bars 16 100 11000 30 11400 +1000 24 bars 17 100 12000 10 13800 +1000 18 100 12000 10 14400 +1000 2xSV+RV 19 100 20000 10 20600 +1000 20 100 22000 10 21600 (-) 50400 21 200 - - 18500 +1000 22 200 13000 10-50400 Table 4: Start of pressure vessel failure based on injection parameters Hadmérnök (XIII) II1 (2018) 246

The emergency cooling systems must be recovered or other sources of cooling medium must be utilized within these timeframes to prevent pressure vessel failure. Due to the intense heat generation of the zirconium-steam reaction that occurs immediately after the damage of the active core, the recovery of cooling cannot prevent the melting of the core. When the core melt at the pressure vessel bottom is flooded, depending on the initial rupture size, pressure increase develops. If the pressure vessel wall is overheated by the time flooding starts and cooling is slow, it is possible that the flooding itself will cause the pressure vessel failure. The point of such failure generally occurs not on the bottom of the RPV, but at least one metre higher, thus only part of the core melt can escape the damaged pressure vessel. Continuous cooling ensures that the catastrophic failure of the reactor pressure vessel does not happen. For larger rupture sizes the pressure increase is more moderate, therefore there is a better chance that the intervention is successful. In case of smaller rupture sizes, the pressure vessel wall heats up slower, due to less remanent heat in the core melt and the extended hydro-accumulator injection. Based on the calculations, pressure vessel failure can be prevented with 10 kg/s injection rate within the following intervention times (table 5) [3, 4]: Rupture size Intervention time 20 mm 15.0 hours 100 mm 2.6 hours 200 mm 3.6 hours Table 5: Pressure vessel failure prevention times at 10 kg/s injection rate SUMMARY During emergency situations when core cooling is lost and the fuel overheats, the integrity of the RPV is lost as a result and wall failure occurs. After the extensive overheating of the reactor vessel wall, flooding will also damage the reactor, causing further inhermeticity. The process results in the release of gaseous fission products into the primary circuit. However, the activity of the wall cracks is lower by an order of magnitude than the activity of the gasses remaining in the fuel matrix. Naturally, the objective is to prevent the damage of the fuel pellets, which is only possible with the flooding of the core. The timing of the flooding is important. As there is no information available about the actual physical conditions of core behaviour during an accident, only indirect calculations, flooding must occur as soon as possible to prevent fuel meltdown. The prompt flooding of the core must be part of any accident management strategy, even if fuel meltdown cannot be avoided, as pressure vessel integrity can only be maintained with cooling. REFERENCES [1] INSAG (International Nuclear Safety Advisory Group (1988): Basic Safety Principles for NPPs. Safety Series No. 75-INSAG-3, IAEA, Vienna. https://wwwpub.iaea.org/mtcd/publications/pdf/p082_scr.pdf (date of download: 2018.05.12). Hadmérnök (XIII) II1 (2018) 247

[2] Hungarian Atomic Energy Authority: National Assessment Report (Convention on Nuclear Safety). 2012. http://www.haea.gov.hu/web/v3/oahportal.nsf/2db98a2d49ef15a1c1257beb002 FAF6D/$FILE/CNS_extra_magyar.pdf (date of download: 2018.05.12). [3] VEIKI Rt.: Safety assessment report of the Paks nuclear power plant from the aspect of large volume radioactive releases. Management of the occurrence probability and uncertainty of physical processes. June 2002. [4] KFKI-AEKI, VEIKI Rt.: Safety assessment report of the Paks nuclear power plant from the aspect of large volume radioactive release. Extended study. May 2003. [5] ANTAL Z., VASS Gy., KÁTAI-URBÁN L.: Atomerőmű létesítés tűzvédelmi követelményeinek vizsgálata. Védelem Tudomány, II. évfolyam, 1.szám (2017), ISSN 2498-6194 17-30. p. http://www.vedelemtudomany.hu/articles/02-antal-vasskataiurban.pdf (date of download: 2018.05.12). [6] MANGA L., KÁTAI-URBÁN L., Nukleáris balesetkből levonható tanulságok a tudomány állása I. rész, Bolyai Szemle, XXV. évfolyam, 2016/4 szám ISSN 1416-1443, 120-136. p. https://folyoiratok.uni-nke.hu/document/uni-nke-hu/bolyai-szemle- 2016-04.original.pdf (date of download: 2018.05.12). [7] MANGA L., KÁTAI-URBÁN L., VASS Gy.: A Paksi Atomerőmű nukleárisbalesetelhárítási rendszerének sugárvédelmi célú értékelése. Védelem Tudomány, II. évfolyam, 1. szám (2017), ISSN 2498-6194 152-162 p. http://www.vedelemtudomany.hu/articles/12-manga.pdf (date of download: 2018.05.12). [8] Westinghouse: http://www.westinghousenuclear.com/about/news/features/view/articleid/812 (date of download: 2018.05.12). [9] KFKI-AEKI: Preparations for developing an accident management procedure system. 2003. [10] VEIKI Rt.: Determining the accident management procedure groups. 2002. [11] Bastien R. et al.: Westinghouse Approach to Implement Post-Accident Recovery, ENS TOPNUX 93, The Hague, Netherlands, April 25-28, 1993 [12] VÉGH J.: Az atomerőmű biztonságos üzemeltetésének támogatása on-line folyamatinformációs rendszerek alkalmazásával. Phd. értekezés, KFKI Atomenergia Kutatóintézet, BME Nukleáris Technikai Intézet, Budapest 2003.. http://dept.phy.bme.hu/phd/dissertations/vegh_disszertacio.pdf (date of download: 2018.05.12). [13] Lenkei I.: Westinghouse-type symptom-oriented procedures. Guide for Paks NPP s operators, Paks (1995). [14] Paksi Nuclear power plant: Fuel behaviour during emergency and severe accident processes. Training material, Paks 2004. Hadmérnök (XIII) II1 (2018) 248

[15] DOBOR J.: Iparbiztonság fizikai és kémiai alapjai. Nemzeti Közszolgálati Egyetem, Budapest, ISBN 978-615-5491-06-1, 2014. http://m.ludita.uninke.hu/repozitorium/bitstream/handle/11410/8589/teljes%20sz%c3%b6veg%21?seq uence=1&isallowed=y (date of download: 2018.05.12). [16] PÁTZAY Gy.: Atomenergetika és nukleáris technológia. Egyetemi tananyag, Budapesti Műszaki és Gazdaságtudományi Egyetem, Budapest, ISBN 978-963-279-468-6, 2011. http://www.kankalin.bme.hu/dok/konyvek/atomenergia/atomenergetika_animaciok %20nelkul.pdf (date of download: 2018.05.12). [17] DOBOR J., KOSSA Gy., PÁTZAY Gy.: Atomerűvi balesetek és üzemzavarok tanulságai 1. Hadmérnök. XII. évfolyam, 1. szám (2017) ISSN 1788-1919, 58-71 P. http://hadmernok.hu/171_06_dobor.pdf (date of download: 2018.05.12). [18] Fauske & Associates: Engineering & Testing Services / Nuclear / MAAP Modular Accident Analysis Program, https://www.fauske.com/nuclear/maap-modular-accidentanalysis-program (date of download: 2018.05.12). [19] KÁTAI-URBÁN L., KISS B.: Nukleáris erőművek, mint veszélyes technológiai és az országos nukleáris balesetelhárítási rendszer. Hadmérnök, IX. évfolyam, 3. szám (2014) ISSN 1788-1919, 80-97 p. http://www.hadmernok.hu/143_07_kataiul.pdf (date of download: 2018.05.12). [20] C. Queral, J. Gondzález-Cadelo, G., Jimenez, E. Villalba: Accident management actions in an upper-head small-break loss-of coolant accident with high-pressure safety injection failed, Universidad Politécnia de Madrid, C/Alenza 4, 28003 Madrid, Spain http://oa.upm.es/11398/2/inve_mem_2011_104764.pdf (date of download: 2018.05.12). Hadmérnök (XIII) II1 (2018) 249